Netflix Unveils ‘FIDO’: An Open Source Incident Response Tool

Netflix announced on Monday the open source release of its very own system designed to analyze and categorize security events, and automatically respond to urgent incidents.

The popular streaming service released its Fully Integrated Defense Operation, dubbed FIDO, after its implementation more than four years ago.

“The idea for FIDO came from a simple proof of concept,” wrote Netflix’s Rob Fry, Brooks Evans and Jason Chan in a blog post.

“Our process for handling alerts from one of our network-based malware systems was to have a help desk ticket created and assigned to a desktop engineer for follow up – typically a scan of the impacted system or perhaps a re-image of the hard drive,” explained the team.

Like many other organizations, the company’s resources for examining an abundance of security-related alerts were limited.

“The time from alert generation to resolution of these tickets spanned from days to over a week,” the Netflix engineers said.

With the process for investigating these alerts being labor intensive and largely manual, the team believed it could cut down resolution time by automating the alert-to-ticket process, using the help desk system’s API.

Now, the team describes FIDO as “an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.”

FIDO begins by receiving an event from one of its detectors, such as firewalls, IDS, or anti-malware systems. Once an event is detected and received, FIDO provides a deeper analysis of the event using internal and external data sources to help identify the event’s target, if the event could be a false positive, or how serious and pervasive the threat may be.

Source: Netflix

“Once internal and external data has been gathered about a given event and its target(s), FIDO seeks to correlate the information with other data it has seen and score the event to facilitate ultimate disposition,” they wrote.

Based on the threat data and score calculated, FIDO determines the next action to execute, such as storing the information for later analysis, sending an email to the security team, or taking more complex and proactive measures like disabling an account or a network port.

Although the in-house tool has been released under an open-source license on GitHub, the team added they have a number of features and improvements planned, including an administrative UI with dashboards and additional external integrations.

FIDO is one of several open source security tools Netflix has made available to the community. Last year, the company released Scumblr, Sketchy and Workflowable – tools the company uses to monitor the Internet for planned DDoS attacks.